From: Jouni Malinen
Date: Sun, 8 May 2022 09:19:42 +0000 (+0300)
Subject: WNM: Try to make bounds checking easier for static analyzers
X-Git-Tag: hostap_2_11~1918
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe1dc9ba772fbf426b45983e7714087bcb74ecd0;p=thirdparty%2Fhostap.git
WNM: Try to make bounds checking easier for static analyzers
The length of the URL, i.e., pos[0], is verified here to be within the bounds of the recieved message, but that seemed to be done in a manner that might bee too complex for static analyzers to understand.
Signed-off-by: Jouni Malinen
---
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 96160dccb..0a4b9d474 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -1453,15 +1453,22 @@ static void ieee802_11_rx_bss_trans_mgmt_req(struct wpa_supplicant *wpa_s,
 if (wpa_s->wnm_mode & WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT) {
 char url[256];
+ u8 url_len;
- if (end - pos < 1 || 1 + pos[0] > end - pos) {
+ if (end - pos < 1) {
 wpa_printf(MSG_DEBUG, "WNM: Invalid BSS Transition " "Management Request (URL)");
 return;
 }
- os_memcpy(url, pos + 1, pos[0]);
- url[pos[0]] = '\0';
- pos += 1 + pos[0];
+ url_len = *pos++;
+ if (url_len > end - pos) {
+ wpa_printf(MSG_DEBUG,
+ "WNM: Invalid BSS Transition Management Request (URL truncated)");
+ return;
+ }
+ os_memcpy(url, pos, url_len);
+ url[url_len] = '\0';
+ pos += url_len;
 wpa_msg(wpa_s, MSG_INFO, ESS_DISASSOC_IMMINENT "%d %u %s", wpa_sm_pmf_enabled(wpa_s->wpa),
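Review bot: The write `url[url_len] = '\0'` stays inside `char url[256]` only because `url_len` is a `u8` and so cannot exceed 255; nothing in the new lines states that coupling, so widening the length type or shrinking the buffer later would silently turn the copy into an overflow controlled by a field of the received frame. A comment above the copy such as `/* url_len is u8 (max 255), so url[256] always has room for the NUL */` would record the invariant for readers and analyzers alike. Separately, the copied bytes come straight from the received frame and appear to reach the `%s` in the `wpa_msg()` call that follows (its argument list is cut off by the hunk), so it is worth confirming whether control characters in the URL should be escaped, for example with `printf_encode()`, before the event is emitted. The enclosing function `ieee802_11_rx_bss_trans_mgmt_req` begins and ends outside this hunk.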